00:00:00,120 --> 00:01:27,390
Let's talk now about identifying and researching potential vulnerabilities. So we have our notes here, and all I've done is move them off of Notepad and into CherryTree, because CherryTree is a bit more visual and has a bigger font for us on video. And I made two nodes: I made the main node here of notes, and then I made a child node here of vulnerabilities. So if we recall from our notes, we have 80, 443, and we've identified some findings that we're going to write up on a pen test report, and those findings are, you know, a default Apache web page was giving a little bit of information disclosure, and the server headers were disclosing some information as well. On top of that, we've identified some information that we need for research. Now we've got 80 here, and on port 80 we've got this Apache, this mod_ssl and this OpenSSL that we could research, and when we ran our Nikto scan we identified something potentially juicy here, where mod_ssl 2.8.4 falls in line with this, which is 2.8.7 or lower, which we are, and is vulnerable to a remote buffer overflow which may allow a remote shell. Remote buffer overflow meaning that we don't have to be local, we can be remote, which we are, and we can gain access to a remote shell, meaning we can gain access to that machine. So that's good. That's really good.
00:01:27,390 --> 00:03:00,090
The other one here we see is SMB, and we identified Samba version 2.2.1a. We also identified a Webalizer version 2.01, and we've identified OpenSSH 2.9p2. So for this video we're going to target the low-hanging fruit, and I put this in order of how I would attack it. Now again, I always think 80, 443 and 139, 445 are the juiciest. To me this Webalizer might be juicy; OpenSSH, probably not that juicy. So what we're going to do is I'm going to go ahead and research 80, 443, and we'll research the SMB as well, and then I'll leave you to do a little digging on these, just as practice, and we can see where we go. So from here we're just going to go out and open up Firefox, and we'll go out to Google, and on Google we can pick and choose which one we want to research here. Now this mod_ssl 2.8.4 is probably the juiciest of the items, and we might want to start there. So let's just search something like mod_ssl 2.8.4. You see the 2.8.7 exploit showing up, by the way. We'll just do 2.8.4 exploit and we'll see what comes up now. Naughty words, naughty words. We'll just call it OpenLuck, OK. And you could see. Don't cheat.
00:03:00,100 --> 00:04:22,300
Kioptrix is coming up as well, but we're going to go ahead and open this Apache mod_ssl one, and then we're going to also open this GitHub one, and I'll cheat a little bit and tell you why here in a minute. So, Apache mod_ssl 2.8.7, less than 2.8.7. Scroll through here and it just has the code for us. Now this is where you have a chance to come through and read the code. Now it looks like to me that they're just identifying, if you've never seen a buffer overflow, which you probably haven't (there will be one later in the course), it's identifying where it's going to have the architecture, right. So the architecture has its own identifier. So it looks like this works for quite a bit of different architectures of Linux, and depending on which Linux you're running is this return address here. So that's all this is doing. And then there's going to be code down here, I'm guessing, for an overflow, where you see a bunch of A's, as you're going to see later in the course. This is the overflow. So you'll learn to read this over time. Again, you do not have to code this, you do not have to be a super good developer, but just understanding kind of what's going on and making sure that you know the code that you download is safe on your computer and it's good to go.
00:04:22,300 --> 00:05:53,210
Now this is coming off Exploit Database, so you can, I wouldn't say assume, but you can trust it for the most part that this is safe code. You have the option here to download the exploit, and you actually have the option to download the vulnerable app as well, if you ever want to build out a machine and play on your own. So we have a little bit of information here that just says, hey, you know, this is less than 2.8.7, OpenSSL, and we've got a remote buffer overflow. There's nothing else here. But that's OK. That's, you know, this might be good for us. This is something that we need to note. So we can copy this and I would put it here, and we could just say something like 80, 443 potentially vulnerable to, we'll call it OpenLuck, and then we'll just put it here. And we should also save this OpenLuck, and I'll cheat a little bit and tell you guys why: it's because this OpenLuck, the Exploit Database form of it, without saying bad words, is not going to allow us to work. It's not going to work. The exploit is a little dated, and that's why there is a GitHub one out there that actually does work. So we're going to utilize the GitHub one instead when we do get to the exploitation section. So a little bit of a hint, a little bit of foreshadowing: we are going to utilize this exploit.
00:05:53,400 --> 00:07:06,850
So we could also go in and research; we could say Apache httpd 1.3.20. Copy that and come to Google and just say, hey, I wonder if there's an exploit for that, and you would just search something like this, and you could see here Apache 1.3.20 is actually showing up in this vulnerability as well. So that's good. And then sometimes we see these websites like this, CVE Details. These are OK to look at; they're all right. Like, you come in here, and what you want to look for is the score. Immediately my eyes shift to the score. I don't care about anything else. If I see something that's red, I get excited, but we see no red here. So I don't think that necessarily this is vulnerable to a remote code execution. It's got a lot of denial of service, but I would want to see a high score, which means a critical. That's what red is; red is critical. So we've got high, moderate and low here, but we don't have a critical one. So this doesn't look like it really probably has anything, but it is tied to this, which is another wheel-spinning indicator here that, hey, you know what, we've probably got an exploit here with this thing; it's something that we should try, and that OpenSSL is tied directly to this mod_ssl.
00:07:06,840 --> 00:08:33,370
We don't really have to research it now. Let's move on to Samba here. Samba 2.2.1a. Let's copy this. Let's check for an exploit. So just as simple as doing this and saying exploit, and we've got a few here. We've got this Samba 2.2.8 remote code execution, we've got Samba 2.2.x remote buffer overflow, and we've got one down here which I love to see: this is Rapid7. So let's go to Rapid7 first. Why do I like to see Rapid7? Well, Rapid7 makes Metasploit. So it looks like this exploit is called Samba trans2open, and let's read a little bit about the description. So it says this exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. That meets our criteria. This particular module is capable of exploiting the flaw on x86 Linux systems, that's important to know, that do not have the noexec stack option set. Note: some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC. So remember, we did get anonymous access to IPC earlier when we connected to it via our smbclient. We never got access to ADMIN$. We could never do anything in IPC; we tried to say ls and it said denied, but we still logged in.
00:08:33,880 --> 00:09:48,410
So we do have anonymous access to IPC. That's interesting. And we are potentially running against an x86 Linux system. So that's interesting as well. It looks like we're potentially meeting some of the requirements here. Now here is where this is great. You scroll down here and you see module options, and look, this is Metasploit. It gives you the module options. It says, hey, use exploit/linux/samba/trans2open, and then it tells you how to do this. And then you're good to go. That's really nice. I really like that. So I'm going to copy this one, and we'll just come to our notes and we'll say something like 139 potentially vulnerable to trans2open, and we'll just paste a link here, and we could come read these as well. So this is the trans2open overflow here. This looks like the manual version of the trans2open overflow; looks like it is a Perl script. And again, it looks like an overflow. So you'll learn to read these and see what they look like just over time. But, you know, you just want to look at the code, make sure everything's good to go. You will need to run this with Perl. It gives you the options here.
00:09:48,410 --> 00:11:19,700
trans2root.pl: what option to select, what target type to select, your IP address and your target IP address. So we'll save this one as well, why not, and we'll take a look at the other one and just see what it is, and it looks like it could work for us. Remote root exploit for Samba 2.2.x that works against all *nix distributions of Samba. I think this is a possibility as well. So this is C code here. We're going to go ahead and just copy this, and we'll go ahead and add this to our list as well, and we'll figure it out. So all we're doing right now is the research, OK. So from here I've showed you the Google way. Let's say for some reason you want to do this on the fly. You want to use another tool, or, you know, you're in a network and the network has no access, you have no Internet access out, you have no research capabilities. You can go to the terminal, and there's a great way to research this as well. So let's go back up to our notes and take a peek. Now let's take this unique Samba 2.2.1a, for example, and let's do a tool called searchsploit. Now searchsploit is going to search the Exploit Database.
00:11:19,710 --> 00:12:33,870
This whole database here that we're looking through, it's brought down onto your machine; every time you update your machine and the database updates, it updates down to your machine, and all those exploits get downloaded for you already. But you could say searchsploit and maybe we search something like Samba 2.2.1a; let's see what happens. No results. Well, OK. Why is that? Well, let's delete this now. You cannot be too specific with searchsploit. The more specific you are, the worse off you are, because searchsploit is searching the exact string that you are using. Now you see that we search Samba and it's searching for Samba and a 2. OK. Now we can start to see some things here. We see a Linux remote code execution right here, and we're going to have to look through these. Now it's not pretty, right. It's not the prettiest, but you see the trans2open does show up. Now it's not the easiest way; I do prefer Google. But if you're in a pinch, or you want to look at all the different possibilities and see, maybe, hey, is there a 2.2 in here. So look, Samba 2.2.0 to 2.2.8 OSX.
00:12:33,880 --> 00:13:49,460
That's not our operating system, but it's called trans2open, and we see that over and over and over again. So maybe the wheels spin again and it says, hey, trans2open, I think that that's potentially what we're looking for here. And then once we get down to the 3s we know, hey, we've gone too far, this is not our version, etc. We could do the same thing with, let's say, the mod_ssl, and we can say something like mod_ssl 2, by typing searchsploit in front of it, and do some searching there, and we can see, OK, there's denial of service, not it. 2.8.x, potentially, right. And then mod_ssl 2.8.7. And another thing to look at over here: denial of service, denial of service, remote, remote. It's huge: remote means remote code execution. So learning to read these as well. Exploit, check. Unix, OK, we're running on Linux, check. Remote code execution, check. And Apache mod_ssl less than 2.8.7, check. So there's three different versions of this, and this is kind of why, when I said earlier that, you know, they don't really work. One's been broken, they've rebuilt it. I just like the one off GitHub.
00:13:49,480 --> 00:14:48,130
So we'll play around with that one in just a little bit. But this is what you're doing. You're either going out to Google with the information that you find, or you're going to searchsploit it. You're just doing research. So now we've identified a couple of potential vulnerabilities and we can go from there. So what I encourage you to do is just do some research on this Webalizer, do some research on OpenSSH, see what you can find out, just for research's sake; practice with searchsploit, practice with Google, and then meet me in the next video. So what I want to do before we get into exploitation, I want to give you a quick sneak peek at what your notes should look like so far. So you can see what good note keeping is, and this is in terms of an assessment, OK. Just in terms of an assessment. And then from there we're going to practice with some other scanning tools, just to get you familiar with other things than using just nmap. And then finally we'll move into our exploitation. So I will see you in the next video, and we'll look quickly at our notes.